Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fscrypt: fix left shift underflow when inode-&gt;i_blkbits &gt; PAGE_SHIFT<br /> <br /> When simulating an nvme device on qemu with both logical_block_size and<br /> physical_block_size set to 8 KiB, an error trace appears during<br /> partition table reading at boot time. The issue is caused by<br /> inode-&gt;i_blkbits being larger than PAGE_SHIFT, which leads to a left<br /> shift of -1 and triggering a UBSAN warning.<br /> <br /> [ 2.697306] ------------[ cut here ]------------<br /> [ 2.697309] UBSAN: shift-out-of-bounds in fs/crypto/inline_crypt.c:336:37<br /> [ 2.697311] shift exponent -1 is negative<br /> [ 2.697315] CPU: 3 UID: 0 PID: 274 Comm: (udev-worker) Not tainted 6.18.0-rc2+ #34 PREEMPT(voluntary)<br /> [ 2.697317] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014<br /> [ 2.697320] Call Trace:<br /> [ 2.697324] <br /> [ 2.697325] dump_stack_lvl+0x76/0xa0<br /> [ 2.697340] dump_stack+0x10/0x20<br /> [ 2.697342] __ubsan_handle_shift_out_of_bounds+0x1e3/0x390<br /> [ 2.697351] bh_get_inode_and_lblk_num.cold+0x12/0x94<br /> [ 2.697359] fscrypt_set_bio_crypt_ctx_bh+0x44/0x90<br /> [ 2.697365] submit_bh_wbc+0xb6/0x190<br /> [ 2.697370] block_read_full_folio+0x194/0x270<br /> [ 2.697371] ? __pfx_blkdev_get_block+0x10/0x10<br /> [ 2.697375] ? __pfx_blkdev_read_folio+0x10/0x10<br /> [ 2.697377] blkdev_read_folio+0x18/0x30<br /> [ 2.697379] filemap_read_folio+0x40/0xe0<br /> [ 2.697382] filemap_get_pages+0x5ef/0x7a0<br /> [ 2.697385] ? mmap_region+0x63/0xd0<br /> [ 2.697389] filemap_read+0x11d/0x520<br /> [ 2.697392] blkdev_read_iter+0x7c/0x180<br /> [ 2.697393] vfs_read+0x261/0x390<br /> [ 2.697397] ksys_read+0x71/0xf0<br /> [ 2.697398] __x64_sys_read+0x19/0x30<br /> [ 2.697399] x64_sys_call+0x1e88/0x26a0<br /> [ 2.697405] do_syscall_64+0x80/0x670<br /> [ 2.697410] ? __x64_sys_newfstat+0x15/0x20<br /> [ 2.697414] ? x64_sys_call+0x204a/0x26a0<br /> [ 2.697415] ? do_syscall_64+0xb8/0x670<br /> [ 2.697417] ? irqentry_exit_to_user_mode+0x2e/0x2a0<br /> [ 2.697420] ? irqentry_exit+0x43/0x50<br /> [ 2.697421] ? exc_page_fault+0x90/0x1b0<br /> [ 2.697422] entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> [ 2.697425] RIP: 0033:0x75054cba4a06<br /> [ 2.697426] Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08<br /> [ 2.697427] RSP: 002b:00007fff973723a0 EFLAGS: 00000202 ORIG_RAX: 0000000000000000<br /> [ 2.697430] RAX: ffffffffffffffda RBX: 00005ea9a2c02760 RCX: 000075054cba4a06<br /> [ 2.697432] RDX: 0000000000002000 RSI: 000075054c190000 RDI: 000000000000001b<br /> [ 2.697433] RBP: 00007fff973723c0 R08: 0000000000000000 R09: 0000000000000000<br /> [ 2.697434] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000<br /> [ 2.697434] R13: 00005ea9a2c027c0 R14: 00005ea9a2be5608 R15: 00005ea9a2be55f0<br /> [ 2.697436] <br /> [ 2.697436] ---[ end trace ]---<br /> <br /> This situation can happen for block devices because when<br /> CONFIG_TRANSPARENT_HUGEPAGE is enabled, the maximum logical_block_size<br /> is 64 KiB. set_init_blocksize() then sets the block device<br /> inode-&gt;i_blkbits to 13, which is within this limit.<br /> <br /> File I/O does not trigger this problem because for filesystems that do<br /> not support the FS_LBS feature, sb_set_blocksize() prevents<br /> sb-&gt;s_blocksize_bits from being larger than PAGE_SHIFT. During inode<br /> allocation, alloc_inode()-&gt;inode_init_always() assigns inode-&gt;i_blkbits<br /> from sb-&gt;s_blocksize_bits. Currently, only xfs_fs_type has the FS_LBS<br /> flag, and since xfs I/O paths do not reach submit_bh_wbc(), it does not<br /> hit the left-shift underflow issue.<br /> <br /> [EB: use folio_pos() and consolidate the two shifts by i_blkbits]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> platform/x86: int3472: Fix double free of GPIO device during unregister<br /> <br /> regulator_unregister() already frees the associated GPIO device. On<br /> ThinkPad X9 (Lunar Lake), this causes a double free issue that leads to<br /> random failures when other drivers (typically Intel THC) attempt to<br /> allocate interrupts. The root cause is that the reference count of the<br /> pinctrl_intel_platform module unexpectedly drops to zero when this<br /> driver defers its probe.<br /> <br /> This behavior can also be reproduced by unloading the module directly.<br /> <br /> Fix the issue by removing the redundant release of the GPIO device<br /> during regulator unregistration.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: bridge: fix use-after-free due to MST port state bypass<br /> <br /> syzbot reported[1] a use-after-free when deleting an expired fdb. It is<br /> due to a race condition between learning still happening and a port being<br /> deleted, after all its fdbs have been flushed. The port&amp;#39;s state has been<br /> toggled to disabled so no learning should happen at that time, but if we<br /> have MST enabled, it will bypass the port&amp;#39;s state, that together with VLAN<br /> filtering disabled can lead to fdb learning at a time when it shouldn&amp;#39;t<br /> happen while the port is being deleted. VLAN filtering must be disabled<br /> because we flush the port VLANs when it&amp;#39;s being deleted which will stop<br /> learning. This fix adds a check for the port&amp;#39;s vlan group which is<br /> initialized to NULL when the port is getting deleted, that avoids the port<br /> state bypass. When MST is enabled there would be a minimal new overhead<br /> in the fast-path because the port&amp;#39;s vlan group pointer is cache-hot.<br /> <br /> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gve: Implement settime64 with -EOPNOTSUPP<br /> <br /> ptp_clock_settime() assumes every ptp_clock has implemented settime64().<br /> Stub it with -EOPNOTSUPP to prevent a NULL dereference.

A vulnerability was determined in SourceCodester Online Student Clearance System 1.0. The affected element is an unknown function of the file /Admin/delete-fee.php of the component Fee Table Handler. Executing manipulation of the argument ID can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.

A security flaw has been discovered in D-Link DIR-823X up to 20250416. This affects the function sub_415028 of the file /goform/set_wan_settings. The manipulation of the argument ppp_username results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> xsk: avoid data corruption on cq descriptor number<br /> <br /> Since commit 30f241fcf52a ("xsk: Fix immature cq descriptor<br /> production"), the descriptor number is stored in skb control block and<br /> xsk_cq_submit_addr_locked() relies on it to put the umem addrs onto<br /> pool&amp;#39;s completion queue.<br /> <br /> skb control block shouldn&amp;#39;t be used for this purpose as after transmit<br /> xsk doesn&amp;#39;t have control over it and other subsystems could use it. This<br /> leads to the following kernel panic due to a NULL pointer dereference.<br /> <br /> BUG: kernel NULL pointer dereference, address: 0000000000000000<br /> #PF: supervisor read access in kernel mode<br /> #PF: error_code(0x0000) - not-present page<br /> PGD 0 P4D 0<br /> Oops: Oops: 0000 [#1] SMP NOPTI<br /> CPU: 2 UID: 1 PID: 927 Comm: p4xsk.bin Not tainted 6.16.12+deb14-cloud-amd64 #1 PREEMPT(lazy) Debian 6.16.12-1<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014<br /> RIP: 0010:xsk_destruct_skb+0xd0/0x180<br /> [...]<br /> Call Trace:<br /> <br /> ? napi_complete_done+0x7a/0x1a0<br /> ip_rcv_core+0x1bb/0x340<br /> ip_rcv+0x30/0x1f0<br /> __netif_receive_skb_one_core+0x85/0xa0<br /> process_backlog+0x87/0x130<br /> __napi_poll+0x28/0x180<br /> net_rx_action+0x339/0x420<br /> handle_softirqs+0xdc/0x320<br /> ? handle_edge_irq+0x90/0x1e0<br /> do_softirq.part.0+0x3b/0x60<br /> <br /> <br /> __local_bh_enable_ip+0x60/0x70<br /> __dev_direct_xmit+0x14e/0x1f0<br /> __xsk_generic_xmit+0x482/0xb70<br /> ? __remove_hrtimer+0x41/0xa0<br /> ? __xsk_generic_xmit+0x51/0xb70<br /> ? _raw_spin_unlock_irqrestore+0xe/0x40<br /> xsk_sendmsg+0xda/0x1c0<br /> __sys_sendto+0x1ee/0x200<br /> __x64_sys_sendto+0x24/0x30<br /> do_syscall_64+0x84/0x2f0<br /> ? __pfx_pollwake+0x10/0x10<br /> ? __rseq_handle_notify_resume+0xad/0x4c0<br /> ? restore_fpregs_from_fpstate+0x3c/0x90<br /> ? switch_fpu_return+0x5b/0xe0<br /> ? do_syscall_64+0x204/0x2f0<br /> ? do_syscall_64+0x204/0x2f0<br /> ? do_syscall_64+0x204/0x2f0<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> [...]<br /> Kernel panic - not syncing: Fatal exception in interrupt<br /> Kernel Offset: 0x1c000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)<br /> <br /> Instead use the skb destructor_arg pointer along with pointer tagging.<br /> As pointers are always aligned to 8B, use the bottom bit to indicate<br /> whether this a single address or an allocated struct containing several<br /> addresses.

A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Performing manipulation of the argument Full Name/Address/City/State results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

A vulnerability has been found in TykoDev cherry-studio-TykoFork 0.1. This issue affects the function redirectToAuthorization of the file /.well-known/oauth-authorization-server of the component OAuth Server Discovery. Such manipulation of the argument authorizationUrl leads to os command injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

A flaw has been found in code-projects Question Paper Generator up to 1.0. This vulnerability affects unknown code of the file /selectquestionuser.php. This manipulation of the argument subid causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.

A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. Affected by this vulnerability is an unknown functionality of the file /dishsub.php. The manipulation of the argument item.name results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.